Judge Dismisses Muchof PlayStation Hacking Suit

By LUCILE SCOTT

(CN) - A federal judge dealt a blow to PlayStation users who say that a Sony security breach exposed more than 69 million personal and credit card accounts to theft. The PlayStation Network, in conjunction with Qriocity, and Sony Online Entertainment, allows users with PlayStation 3 and PlayStation Portable consoles to play games over the Internet. For an additional fee, premium users can play against various third parties. Signup requires users to provide "personally identifying information to Sony, including their names, mailing addresses, email addresses, birth dates, credit and debit card information (card numbers, expiration dates and security codes) and login credentials," according to the court's summary. A class says that hackers infiltrated the online system on April 16 or 17, 2011, because Sony negligently failed to provide adequate firewalls and safeguards. The thieves allegedly made off with the personal info of millions of users. Three days later, Sony took the system offline, issuing a statement only that "[w]e're aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information," according to the complaint. PlayStateion Network and Qriocity remained offline for nearly a month and Sony Online Entertainment was down for two weeks, preventing users from accessing the services they had pre-purchased, the class says. On April 26, while still investigating the data breach, Sony finally admitted the theft, stating that the system failure "may have had a financial impact on our loyal customers. We are currently reviewing options and will update you when the service is restored." In May, Sony announced it would compensate users by providing "free identity theft protection services, certain free downloads and online services, and 'will consider' helping customers who have been issued new credit cards." The January 2012 federal class action in San Diego contends that Sony knew or should have known that its system was vulnerable to such an attack. In 2011 "a PS3 user successfully 'jailbroke' his PS3 console and posted instructions for doing it," according to the court's summary of the complaint. Despite the breach, Sony allegedly did nothing to beef up its safeguards. Sony immediately moved to dismiss, finding some relief from U.S. District Judge Anthony Battaglia last week. The 36-page order dismisses several claims such as negligence, unjust enrichment, bailment and violations of California consumer protection statutes. Sony did not violate consumer-protection laws "because none of the named plaintiffs subscribed to premium PSN services, and thus received the PSN services free of cost," Battaglia wrote. Though the class says Sony misrepresented the quality of its protections, the judge found that all users signed a Sony Privacy Policy that included "clear admonitory language that Sony's security was not 'perfect,'" therefore "no reasonable consumer could have been deceived." Battaglia gave the class leave to amend its claims for injunctive relief and violation of consumer protection law. The claim for restitution was dismissed with prejudice because Battaglia found that the plaintiffs had already purchased their consoles when they signed the privacy policy and therefore "reliance on such statements in purchasing their consoles is impossible." Battaglia also chucked the bailment charge with prejudice because "plaintiffs freely admit, plaintiffs' personal information was stolen as a result of a criminal intrusion of Sony's Network. Plaintiffs do not allege that Sony was in any way involved with the Data Breach." The unjust enrichment also failed with prejudice.